However, the code you suggested cut out the last display that tells the user if there was an error or if it was successful. I need this for the users.

When I add that back in between the wait and the expect eof, it still changes the password, but it does not display the message.

I am still working on this.

If you have a solution in the next day or so I will increase your points and accept the answer. If not, in a couple of days...I will accept the answer as is because it was a very good lead to the answer.

I don't think the "wait -nowait" is the solution. That, "causes the wait to return immediately with the indication of a successful wait".

Let me look at something else, I just found what might be a slight variation in the behaviour of "passwd" (when presented with an invalid second password) depending on what patches are installed. I think I need a more general closure section. Shortly...

I've made some progress. Interestingly, I've found lots of ways to get it to fail among my 2.6, 2.7, & 2.8 systems. I think I've pretty well sorted out and accounted for the differences, but I'd like to do one last round of tests before I post the results. Say tomorrow as it's late and the regression test takes a while to work through all the ways I know it can fail.

I think I've got it now, at least I can't find a way to cause it to fail in "playtoy mode". A replacement passwd.cgi follows. Below that is a "playtoy" that can be run from the command line to check out the expect script without having to go through a web server.

---snip,snip - begin passwd.cgi---
#!/depot/path/expect --

# This is a CGI script to process requests created by the accompanying
# passwd.html form. This script is pretty basic, although it is
# reasonably robust. (Purposely intent users can make the script bomb
# by mocking up their own HTML form, however they can't expose or steal
# passwords or otherwise open any security holes.) This script doesn't
# need any special permissions. The usual (ownership nobody) is fine.
#
# With a little more code, the script can do much more exotic things -
# for example, you could have the script:
#
# - telnet to another host first (useful if you run CGI scripts on a
# firewall), or
#
# - change passwords on multiple password server hosts, or
#
# - verify that passwords aren't in the dictionary, or
#
# - verify that passwords are at least 8 chars long and have at least 2
# digits, 2 uppercase, 2 lowercase, or whatever restrictions you like,
# or
#
# - allow short passwords by responding appropriately to passwd
#
# and so on. Have fun!
#
# Don Libes, NIST

# Need to su first to get around passwd's requirement that passwd cannot
# be run by a totally unrelated user. Seems rather pointless since it's
# so easy to satisfy, eh?
#
# Change following appropriately for your site.
#
# Solaris 2.6 & later needs the -r option to specify which
# password service (files, nis, nisplus) see man passwd. Linux
# has passwd in a different location and doesn't need the
# service specification. (Note that I no longer have anything
# earlier than 2.6 to test with, you've been warned... there be
# dragons here).
#
# BIG NOTE!!! Linux has to have the "sleep 1" between each of
# the "expect/send" pairs. It puts out the prompt before it's actually
# ready to take input. You can comment them out for Solaris, but
# it doesn't hurt for them to be there and might be a plus on a
# busy server. (there be really big dragons here...)
#

#
# This is a playtoy for testing the passwd.cgi script without actually
# having to use a web server. The tcl code above fills in the variables
# that the cgi would have and redirects the output to our terminal.
# Everything below can be simply pasted over the expect script
# portion of passwd.cgi.

# Need to su first to get around passwd's requirement that passwd cannot
# be run by a totally unrelated user. Seems rather pointless since it's
# so easy to satisfy, eh?

# Change following appropriately for your site.
#
# Solaris 2.6 & later needs the -r option to specify which
# password service (files, nis, nisplus) see man passwd. Linux
# has passwd in a different location and doesn't need the
# service specification. (Note that I no longer have anything
# earlier than 2.6 to test with, you've been warned... there be
# dragons here).
#
# BIG NOTE!!! Linux has to have the "sleep 1" between each of
# the "expect/send" pairs. It puts out the prompt before it's actually
# ready to take input. You can comment them out for Solaris, but
# it doesn't hurt for them to be there and might be a plus on a
# busy server. (there be really big dragons here...)
#
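
One way to write a closure section that still shows the user a final message when passwd's wording differs between patch levels: read everything the child prints up to EOF, then take the result from a blocking `wait`. This is an added example, not the replacement passwd.cgi posted above and not Don Libes's script; `run_and_collect`, `html_escape` and the `sh -c` stand-in child are assumptions made for illustration.

```tcl
#!/usr/bin/expect --
# Added example. The child spawned below is a constructed stand-in, NOT
# passwd; replace it with the spawn and prompt handling of your own script.

# Escape child output before it is written into the CGI's HTML reply.
proc html_escape {text} {
    return [string map {& &amp; < &lt; > &gt;} $text]
}

# Run a command, collect every line it prints until EOF, then reap it.
# Returns {exit_status transcript}; exit_status is -1 on timeout or OS error.
proc run_and_collect {cmd} {
    log_user 0                 ;# keep raw child output out of the reply
    set timeout 20
    eval [list spawn -noecho] $cmd
    set transcript ""
    expect {
        -re {([^\r\n]*)\r?\n} {
            append transcript $expect_out(1,string) "\n"
            exp_continue
        }
        timeout {
            # Abandoning the child: here -nowait is appropriate.
            catch {close}
            catch {wait -nowait}
            return [list -1 "timed out waiting for child\n"]
        }
        eof {
            # Keep any final text printed without a trailing newline.
            if {[info exists expect_out(buffer)]} {
                append transcript $expect_out(buffer)
            }
        }
    }
    # Blocking wait returns {pid spawn_id os_error value}.
    set w [wait]
    if {[lindex $w 2] != 0} { return [list -1 $transcript] }
    return [list [lindex $w 3] $transcript]
}

# Constructed stand-in child: prints a message and exits non-zero.
set child [list sh -c {echo "stand-in: passwords do not match"; exit 1}]
foreach {status text} [run_and_collect $child] break

if {$status == 0} {
    puts "<p>Password changed.</p>"
} else {
    puts "<p>Password not changed (exit status $status).</p>"
}
puts "<pre>[html_escape $text]</pre>"
```

The message is printed after `wait` has returned, from the saved transcript, so it does not depend on the child still being alive or on matching one specific string.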
